
Re: [Users] FreeS/WAN an Win2000 with x509 Certificates problems

From: Holger Marzen (holger_at_marzen.de)
Date: Sun May 26 2002 - 10:47:56 CEST


On Sun, 26 May 2002, Andreas Steffen wrote:

> FreeS/WAN should sign its MR3 message using its own
>
> /etc/ipsec.d/private/muckelKey.pem
>
> and not the CA's private key cakey.pem !!!
>
> In any case, the CA's key is too valuable to lie around
> on a border-line security gateway. Please put it either
> on a floppy or keep it on a box behind the firewall.

Oh, stupid me! After replacing the key I get a bit further, and
Win2000's ipsecmon says "Oakley Hauptmodi ... 1".

The next showstopper is:

 Pluto[13668]: "rw" 10.66.53.100 #2: we require PFS but Quick I1 SA
 specifies no GROUP_GROUP_DESCRIPTION
 Pluto[13668]: "rw" 10.66.53.100 #1: Quick Mode I1 message is
 unacceptable because it uses a previously used Message ID 0x26d36719
 (perhaps this is a duplicated packet)

As the parameters on Win2000 I have IKE/3DES/SHA1/medium.

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users


